@csrf-armor/nuxt@1.1.0

Minor Changes

• #40 4fdec35 Thanks @muneebs! - Add @csrf-armor/nuxt module for Nuxt 3/4 applications

  Introduces a new Nuxt module that provides server-side CSRF protection via a Nitro middleware and client-side utilities for token management.

  Features:

  • NuxtAdapter bridges H3 events with the framework-agnostic @csrf-armor/core engine
  • Server middleware automatically enforces CSRF protection on all mutating requests
  • useCsrfToken composable for SSR-safe token access via useState
  • useCsrfFetch composable wrapping $fetch with automatic CSRF token injection
  • Client plugin initialises the token on page load
  • Full support for all core strategies: double-submit, signed-double-submit, signed-token, origin-check, hybrid
  • Zero runtime dependencies — uses H3Event native Web API (event.method, event.headers, event.path) and Node.js built-ins instead of h3 helper functions

@csrf-armor/nextjs@1.4.1

Patch Changes

• #36 6b591f6 Thanks @muneebs! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates

  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.

  Critical Security Fixes

  Timing Attack Vulnerabilities (CRITICAL)

  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:

  • validateDoubleSubmit (validation.ts:104): Replaced non-constant-time string comparison with timingSafeEqual()
  • validateSignedDoubleSubmit cookie check (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
  • validateSignedDoubleSubmit token matching (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks

  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.

  Weak Secret Generation (HIGH)

  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses generateSecureSecret() for high-entropy, properly-encoded secrets.

  Dependency Security Updates

  All vulnerable dependencies have been updated to patched versions:

  • qs (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
  • diff (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
  • js-yaml: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
  • next (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864

  Other Updates

  • Updated @biomejs/biome to 2.3.13
  • Updated @types/node to 20.0.0 (fixes peer dependency warnings)
  • Updated vitest and related packages to 4.0.18
  • Updated typescript to 5.9.3
  • Updated jsdom to 27.4.0
  • Updated package exports to match new tsdown output format (.mjs files)

  Security Impact

  • ✅ Zero critical vulnerabilities remaining
  • ✅ Zero high-severity vulnerabilities remaining
  • ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
  • ✅ All 66 tests passing across all packages

  Upgrade Priority: CRITICAL - All users should upgrade immediately to address timing attack vulnerabilities.

• Updated dependencies [6b591f6]:

  • @csrf-armor/core@1.2.1

@csrf-armor/express@1.2.1

Patch Changes

• #36 6b591f6 Thanks @muneebs! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates

  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.

  Critical Security Fixes

  Timing Attack Vulnerabilities (CRITICAL)

  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:

  • validateDoubleSubmit (validation.ts:104): Replaced non-constant-time string comparison with timingSafeEqual()
  • validateSignedDoubleSubmit cookie check (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
  • validateSignedDoubleSubmit token matching (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks

  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.

  Weak Secret Generation (HIGH)

  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses generateSecureSecret() for high-entropy, properly-encoded secrets.

  Dependency Security Updates

  All vulnerable dependencies have been updated to patched versions:

  • qs (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
  • diff (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
  • js-yaml: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
  • next (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864

  Other Updates

  • Updated @biomejs/biome to 2.3.13
  • Updated @types/node to 20.0.0 (fixes peer dependency warnings)
  • Updated vitest and related packages to 4.0.18
  • Updated typescript to 5.9.3
  • Updated jsdom to 27.4.0
  • Updated package exports to match new tsdown output format (.mjs files)

  Security Impact

  • ✅ Zero critical vulnerabilities remaining
  • ✅ Zero high-severity vulnerabilities remaining
  • ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
  • ✅ All 66 tests passing across all packages

  Upgrade Priority: CRITICAL - All users should upgrade immediately to address timing attack vulnerabilities.

• Updated dependencies [6b591f6]:

  • @csrf-armor/core@1.2.1

@csrf-armor/core@1.2.1

Patch Changes

• #36 6b591f6 Thanks @muneebs! - ## SECURITY FIXES: Critical timing attack vulnerabilities and dependency updates

  This release addresses critical security vulnerabilities and updates all vulnerable dependencies.

  Critical Security Fixes

  Timing Attack Vulnerabilities (CRITICAL)

  Fixed three timing attack vulnerabilities in CSRF token validation that could allow attackers to reconstruct valid tokens through timing analysis:

  • validateDoubleSubmit (validation.ts:104): Replaced non-constant-time string comparison with timingSafeEqual()
  • validateSignedDoubleSubmit cookie check (validation.ts:142): Fixed cookie integrity comparison to use constant-time equality
  • validateSignedDoubleSubmit token matching (validation.ts:147): Fixed token comparison to prevent timing side-channel attacks

  These vulnerabilities could have allowed attackers to bypass CSRF protection entirely by analyzing response timing patterns. All token comparisons now use cryptographically constant-time operations.

  Weak Secret Generation (HIGH)

  Fixed default secret generation (constants.ts:146) that produced weak comma-separated decimal strings instead of proper base64-encoded secrets. Now uses generateSecureSecret() for high-entropy, properly-encoded secrets.

  Dependency Security Updates

  All vulnerable dependencies have been updated to patched versions:

  • qs (CVE-2025-15284): Updated to >=6.14.1 via pnpm override - fixes DoS vulnerability via memory exhaustion
  • diff (CVE-2026-24001): Updated to 8.0.3 via tsdown 0.20.1 - fixes denial of service vulnerability
  • js-yaml: Updated via @changesets/cli 2.29.8 - resolves YAML parsing vulnerabilities
  • next (npm advisories: 1112593, 1112638, 1112649): Updated to 16.1.6 - fixes multiple security vulnerabilities including CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864

  Other Updates

  • Updated @biomejs/biome to 2.3.13
  • Updated @types/node to 20.0.0 (fixes peer dependency warnings)
  • Updated vitest and related packages to 4.0.18
  • Updated typescript to 5.9.3
  • Updated jsdom to 27.4.0
  • Updated package exports to match new tsdown output format (.mjs files)

  Security Impact

  • ✅ Zero critical vulnerabilities remaining
  • ✅ Zero high-severity vulnerabilities remaining
  • ✅ No remaining known CVEs after upgrade (verified via pnpm audit)
  • ✅ All 66 tests passing across all packages

  Upgrade Priority: CRITICAL - All users should upgrade immediately to address timing attack vulnerabilities.

@csrf-armor/nextjs@1.4.0

Minor Changes

• #22 19c15410af4d8faff3c1672bf99129f7d7e43068 Thanks @muneebs! - # improved-token-expiry

  Improve token expiry handling with automatic reissue

  Adds a token reissue threshold mechanism to automatically refresh CSRF tokens before they expire.
  This improves user experience by preventing token expiration errors during long user sessions.

  Key changes:

  • Add 'reissueThreshold' option (default: 500 seconds) to token configuration
  • Change default strategy from 'hybrid' to 'signed-double-submit' for better security
  • Improve token extraction in adapters with better error handling
  • Add comprehensive JSDoc documentation across all packages
  • Fix error handling in Express example app

  This change is backward compatible with existing configurations.

Patch Changes

• Updated dependencies [19c15410af4d8faff3c1672bf99129f7d7e43068]:
  • @csrf-armor/core@1.2.0

@csrf-armor/express@1.2.0

Minor Changes

• #22 19c15410af4d8faff3c1672bf99129f7d7e43068 Thanks @muneebs! - # improved-token-expiry

  Improve token expiry handling with automatic reissue

  Adds a token reissue threshold mechanism to automatically refresh CSRF tokens before they expire.
  This improves user experience by preventing token expiration errors during long user sessions.

  Key changes:

  • Add 'reissueThreshold' option (default: 500 seconds) to token configuration
  • Change default strategy from 'hybrid' to 'signed-double-submit' for better security
  • Improve token extraction in adapters with better error handling
  • Add comprehensive JSDoc documentation across all packages
  • Fix error handling in Express example app

  This change is backward compatible with existing configurations.

Patch Changes

• Updated dependencies [19c15410af4d8faff3c1672bf99129f7d7e43068]:
  • @csrf-armor/core@1.2.0

@csrf-armor/core@1.2.0

Minor Changes

• #22 19c15410af4d8faff3c1672bf99129f7d7e43068 Thanks @muneebs! - # improved-token-expiry

  Improve token expiry handling with automatic reissue

  Adds a token reissue threshold mechanism to automatically refresh CSRF tokens before they expire.
  This improves user experience by preventing token expiration errors during long user sessions.

  Key changes:

  • Add 'reissueThreshold' option (default: 500 seconds) to token configuration
  • Change default strategy from 'hybrid' to 'signed-double-submit' for better security
  • Improve token extraction in adapters with better error handling
  • Add comprehensive JSDoc documentation across all packages
  • Fix error handling in Express example app

  This change is backward compatible with existing configurations.

@csrf-armor/nextjs@1.3.0

Minor Changes

• #19 0fea891851d67aa1c0a216c8a607d47b4bdb3101 Thanks @muneebs! - Add JSR publishing support for dual npm/JSR distribution

  This change adds JSR (JavaScript Registry) publishing capability to enable distribution on both npm and JSR registries.
  Includes jsr.json configuration files for all packages and automated JSR publishing in the release workflow.

  New Features:

  • JSR configuration files (jsr.json) for all packages
  • JSR publishing scripts in package.json
  • Automated JSR publishing in GitHub release workflow
  • Updated release summaries with both npm and JSR installation commands

  Benefits:

  • Reach broader JavaScript ecosystem including Deno users
  • Maintain existing npm workflow while adding JSR support
  • Simplified dual-registry publishing process

Patch Changes

• #21 420ed073cf4d2d1c031b104a41dea08443f2ff6e Thanks @muneebs! - Fix browser navigation token refresh and adapter robustness

  Bug Fixes:

  • Navigation Token Refresh: Fixed issue where users navigating back to cached pages would encounter stale CSRF tokens that were already replaced
  • Adapter Test Failures: Resolved adapter test failures in different environments by improving JSON and text body parsing
  • Request Body Handling: Enhanced token extraction to gracefully handle various request body types and mock objects

  Improvements:

  • Navigation Events: Added comprehensive navigation event listeners (popstate, pageshow) for automatic token refresh
  • Route-based Refresh: Integrated Next.js usePathname for automatic token refresh on route changes
  • Robust Extraction: Improved token extraction with proper fallbacks for production and test environments
  • Test Coverage: Added comprehensive test coverage for concurrent requests and edge cases

  Technical Changes:

  • Enhanced React client with navigation-aware token refresh logic
  • Improved adapter error handling and type safety for different request body formats
  • Added timing-based token staleness detection to prevent using outdated tokens
  • Updated type signatures to be more consistent across validation functions

  This update ensures CSRF tokens remain fresh during browser navigation and improves the reliability of token extraction across different environments.

• Updated dependencies [420ed073cf4d2d1c031b104a41dea08443f2ff6e, 0fea891851d67aa1c0a216c8a607d47b4bdb3101]:

  • @csrf-armor/core@1.1.0

@csrf-armor/express@1.1.0

Minor Changes

• #19 0fea891851d67aa1c0a216c8a607d47b4bdb3101 Thanks @muneebs! - Add JSR publishing support for dual npm/JSR distribution

  This change adds JSR (JavaScript Registry) publishing capability to enable distribution on both npm and JSR registries.
  Includes jsr.json configuration files for all packages and automated JSR publishing in the release workflow.

  New Features:

  • JSR configuration files (jsr.json) for all packages
  • JSR publishing scripts in package.json
  • Automated JSR publishing in GitHub release workflow
  • Updated release summaries with both npm and JSR installation commands

  Benefits:

  • Reach broader JavaScript ecosystem including Deno users
  • Maintain existing npm workflow while adding JSR support
  • Simplified dual-registry publishing process

Patch Changes

• Updated dependencies [420ed073cf4d2d1c031b104a41dea08443f2ff6e, 0fea891851d67aa1c0a216c8a607d47b4bdb3101]:
  • @csrf-armor/core@1.1.0

@csrf-armor/core@1.1.0

Minor Changes

• #19 0fea891851d67aa1c0a216c8a607d47b4bdb3101 Thanks @muneebs! - Add JSR publishing support for dual npm/JSR distribution

  This change adds JSR (JavaScript Registry) publishing capability to enable distribution on both npm and JSR registries.
  Includes jsr.json configuration files for all packages and automated JSR publishing in the release workflow.

  New Features:

  • JSR configuration files (jsr.json) for all packages
  • JSR publishing scripts in package.json
  • Automated JSR publishing in GitHub release workflow
  • Updated release summaries with both npm and JSR installation commands

  Benefits:

  • Reach broader JavaScript ecosystem including Deno users
  • Maintain existing npm workflow while adding JSR support
  • Simplified dual-registry publishing process

Patch Changes

• #21 420ed073cf4d2d1c031b104a41dea08443f2ff6e Thanks @muneebs! - Fix browser navigation token refresh and adapter robustness

  Bug Fixes:

  • Navigation Token Refresh: Fixed issue where users navigating back to cached pages would encounter stale CSRF tokens that were already replaced
  • Adapter Test Failures: Resolved adapter test failures in different environments by improving JSON and text body parsing
  • Request Body Handling: Enhanced token extraction to gracefully handle various request body types and mock objects

  Improvements:

  • Navigation Events: Added comprehensive navigation event listeners (popstate, pageshow) for automatic token refresh
  • Route-based Refresh: Integrated Next.js usePathname for automatic token refresh on route changes
  • Robust Extraction: Improved token extraction with proper fallbacks for production and test environments
  • Test Coverage: Added comprehensive test coverage for concurrent requests and edge cases

  Technical Changes:

  • Enhanced React client with navigation-aware token refresh logic
  • Improved adapter error handling and type safety for different request body formats
  • Added timing-based token staleness detection to prevent using outdated tokens
  • Updated type signatures to be more consistent across validation functions

  This update ensures CSRF tokens remain fresh during browser navigation and improves the reliability of token extraction across different environments.